CVE-2022-36749: Command Injection and XSS vulnerabilities reports · Issue #1859 · MiczFlor/RPi-Jukebox-RFID
RPi-Jukebox-RFID v2.3.0 was discovered to contain a command injection vulnerability via the component /htdocs/utils/Files.php. This vulnerability is exploited via a crafted payload injected into the file name of an uploaded file.
I would like to report a possible vulnerability.
```php
//line 136
if(isset($_GET['folder']) && $_GET['folder'] != "") {
    $post['folder'] = $_GET['folder'];
} else {
    if(isset($_POST['folder']) && $_POST['folder'] != "") {
        $post['folder'] = $_POST['folder'];
    }
}
if(isset($_GET['filename']) && $_GET['filename'] != "") {
    $post['filename'] = $_GET['filename'];
} else {
    if(isset($_POST['filename']) && $_POST['filename'] != "") {
        $post['filename'] = $_POST['filename'];
    }
}

//line 249
$fileName = Files::buildPath($post['folder'], $post['filename']);
$exec = "mid3v2 -l '" . $fileName . "'";
```

```php
public static function buildPath(...$pieces) {
    return implode(DIRECTORY_SEPARATOR, $pieces);
}
```
So the attacker can control the command injection through the filename.
The attacker can add ';' and another command like (echo <script>alert(document.cookie)</script>).
The output of the command will be printed through this path.
```php
//line 252
// note: the output of the command is in $res
$lines = explode(PHP_EOL, $res);
foreach($lines as $line) {
    $parts = explode("=", $line);
    $key = trim(array_shift($parts));  // take the first
    $val = trim(implode("=", $parts)); // put the rest back together
    if (in_array($key, $trackDat['metaKeys']['mp3'])) {
        $trackDat['existingTags'][$key] = $val;
    }
}

//line 496
if (isset($trackDat['existingTags']['TCOM']) && trim($trackDat['existingTags']['TCOM']) != "") {
    echo trim($trackDat['existingTags']['TCOM']);
}
```
Finally, I recommend using the escapeshellarg function with $_GET['folder'], $_POST['folder'], $_GET['filename'] and $_POST['filename'].
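The following is an added example of the hardening the report suggests, not code from the RPi-Jukebox-RFID project or from the reporter. It assumes a base media directory (`MEDIA_BASE`) and the hypothetical helper names `resolveMediaPath`, `buildMid3v2Command`, `parseTagOutput` and `renderTag`; the hostile filename and the mid3v2-style output at the bottom are constructed for the demonstration. Two points it makes beyond the report: `escapeshellarg()` already wraps its argument in single quotes, so the command string must not add its own quotes around it (the original `'"...'"'` pattern would break the escaping), and the output on line 496 should be HTML-encoded as well, because a legitimate file can carry a hostile `TCOM` tag even when no command injection happens.

```php
<?php
// Added example, not the project's code. MEDIA_BASE is an assumed base
// directory; all function names below are hypothetical.

const MEDIA_BASE = '/home/pi/RPi-Jukebox-RFID/shared/audiofolders';

/**
 * Resolve $folder/$filename to an absolute path inside MEDIA_BASE.
 * Returns null if the filename is empty, contains NUL or '/', the file
 * does not exist, or the resolved path escapes the base directory.
 */
function resolveMediaPath(string $folder, string $filename): ?string
{
    if ($filename === '' || strpos($filename, "\0") !== false || strpos($filename, '/') !== false) {
        return null;
    }
    $base = realpath(MEDIA_BASE);
    $real = realpath(MEDIA_BASE . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $real === false) {
        return null;
    }
    // Containment check: the real path must start with "<base>/", which also
    // defeats "../" in $folder. An absolute path can never start with '-',
    // so mid3v2 cannot mistake it for an option.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/**
 * escapeshellarg() produces a single-quoted argument with embedded quotes
 * escaped as '\'' ; do NOT add another pair of quotes around it.
 */
function buildMid3v2Command(string $absPath): string
{
    return 'mid3v2 -l ' . escapeshellarg($absPath);
}

/** Same KEY=value parsing as the original loop, restricted to known keys. */
function parseTagOutput(string $res, array $allowedKeys): array
{
    $tags = [];
    foreach (explode(PHP_EOL, $res) as $line) {
        $parts = explode('=', $line);
        $key = trim(array_shift($parts));
        $val = trim(implode('=', $parts));
        if (in_array($key, $allowedKeys, true)) {
            $tags[$key] = $val;
        }
    }
    return $tags;
}

/** Output encoding for tag values, which are attacker-controlled file content. */
function renderTag(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed hostile filename in the style of the report.
$hostile = "x'; echo '<script>alert(document.cookie)</script>'; #.mp3";
echo buildMid3v2Command('/tmp/' . $hostile), PHP_EOL;
// mid3v2 -l '/tmp/x'\''; echo '\''<script>alert(document.cookie)</script>'\''; #.mp3'
// The embedded single quotes are escaped, so the whole path is one argument.

// Constructed mid3v2-style output: a hostile TCOM tag plus a value containing '='.
$sample = "TCOM=<script>alert(1)</script>" . PHP_EOL . "TIT2=Song=Title";
$tags = parseTagOutput($sample, ['TCOM', 'TIT2']);
echo renderTag($tags['TCOM']), PHP_EOL; // &lt;script&gt;alert(1)&lt;/script&gt;
echo renderTag($tags['TIT2']), PHP_EOL; // Song=Title

// Wiring it together: a rejected path never reaches the shell.
$path = resolveMediaPath($_GET['folder'] ?? '', $_GET['filename'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid folder or filename');
}
$res = shell_exec(buildMid3v2Command($path));
```

Note that `realpath()` requires the file to exist, which is fine here because the tags of an existing upload are being read; for the upload step itself, validate the name before it is written (reject separators, NUL and names starting with '.' or '-') rather than after.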